From f413e38e42e64fde91670726f727471359f41077 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?=
Date: Sun, 28 Jan 2024 04:21:12 +0100
Subject: [PATCH] demux_mkv: don't return null bstr with size specified

Such bstr object are not valid. Also reject empty blocks.

Found by fuzzing.
---
 demux/demux_mkv.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/demux/demux_mkv.c b/demux/demux_mkv.c
index 50f4c78b25..5440c6af1e 100644
--- a/demux/demux_mkv.c
+++ b/demux/demux_mkv.c
@@ -406,6 +406,8 @@ static bstr demux_mkv_decode(struct mp_log *log, mkv_track_t *track,
     talloc_free(src);
     if (!size)
         dest = NULL;
+    if (!dest)
+        size = 0;
     return (bstr){dest, size};
 }
 
@@ -2072,6 +2074,8 @@ static void probe_x264_garbage(demuxer_t *demuxer)
         bstr sblock = {block->laces[0]->data, block->laces[0]->size};
         bstr nblock = demux_mkv_decode(demuxer->log, track, sblock, 1);
+        if (!nblock.len)
+            continue;
         sh->codec->first_packet = new_demux_packet_from(nblock.start, nblock.len);
         talloc_steal(mkv_d, sh->codec->first_packet);
@@ -2834,6 +2838,8 @@ static int handle_block(demuxer_t *demuxer, struct block_info *block_info)
         bstr block = {data->data, data->size};
         bstr nblock = demux_mkv_decode(demuxer->log, track, block, 1);
+        if (!nblock.len)
+            break;
         if (block.start != nblock.start || block.len != nblock.len) {
             // (avoidable copy of the entire data)
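Review bot: The added `if (!dest) size = 0;` together with the existing `if (!size) dest = NULL;` establishes that demux_mkv_decode returns either a non-empty bstr with a valid pointer or exactly `{NULL, 0}`, but nothing in the hunk documents that callers are meant to rely on it; a comment above the two checks such as `// normalize: an empty or undecodable result is always {NULL, 0}, so callers only test .len` would make the contract explicit. The two checks can also be written as a single normalization, `if (!dest || !size) { dest = NULL; size = 0; }`, which states the invariant in one place and is equivalent to the sequential pair. If a failed decode also leaves `dest` NULL (not visible in the hunk), callers can no longer distinguish a decode failure from a genuinely empty block, which is worth stating in the function's header comment. The body of demux_mkv_decode starts before the hunk.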
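Review bot: The new `if (!nblock.len) continue;` in probe_x264_garbage depends on demux_mkv_decode never returning a NULL start with a non-zero length, which this commit only establishes in the first hunk, and nothing at the call site records that dependency; a one-line comment, `// demux_mkv_decode yields {NULL, 0} for empty or undecodable input`, would tie the guard to that invariant for readers of this loop. If a decoded buffer distinct from `sblock.start` is released further down the loop (presumably, outside the hunk), the early `continue` stays leak-free only while an empty result is always `{NULL, 0}`, so the comment also protects against a future change to the decoder's return convention. The same guard is added in handle_block in the third hunk, where the same comment applies. The enclosing loop of probe_x264_garbage begins and ends outside the hunk.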